The SignServer team is pleased to announce the release of SignServer 5.9. This release adds support to optionally use a Keyfactor branded web interface. The support for Android signing in cloud deployments has also been improved. SignServer 5.9 uses upgraded versions of the log4j and OpenPDF libraries.

Included in this release are also the changes made in SignServer 5.8.2, which was only released internally. 

Deployment options include SignServer Hardware Appliance and SignServer Cloud.


Keyfactor branded Web Interface

Meet the new face of SignServer! SignServer 5.9 includes a new web theme as SignServer is part of the Keyfactor product portfolio. The functionality offered by the web interface in previous versions is still available and the default web theme still uses PrimeKey colors. When upgrading to SignServer 5.9 from a previous version, you can select whether to enable the new theme or not. 

Android Signing Improvements for Cloud Deployments

Based on an improvement in SignServer APK signers it is now possible to store signing certificates in the signer rather than in the crypto token. This option is particularly valuable in deployments where the used crypto token does not support storing certificates which is the case for example in AWS CloudHSM.  To store the signing certificate in the worker configuration, disable the Install in Token option, see Workers Install Certificates Page for more information.

Log4j Upgrade

As has been stated before, SignServer was never vulnerable to CVE-2021-44228 nor the subsequent findings due to the fact that SignServer handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block and not used in the main deployment, and is only ever directly referenced from the CLI, but will hence still trip automatic vulnerability scanners. As we understand that some of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about SignServer being vulnerable. 

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.9.0 is included in SignServer Hardware Appliance 3.9.5 and SignServer Cloud 1.11.0.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.9.0, refer to our JIRA Issue Tracker.

Issues Resolved in 5.9.0

Released April 2022

New Features

DSS-2405 - Support for JBoss EAP 7.4

DSS-2438 - Support for switching web theme


DSS-1498 - Support in PlainSigner for client-side hashing with PKCS1 v1.5 with encoding on server-side

DSS-2192 - Use the new worker properties bulk editing method in system tests

DSS-2352 - Support in APK signers for certificate in config instead of import it into the token

DSS-2390 - Upgrade JackNJI11 to a version with upstreams and our changes - 1.2-pk2

DSS-2415 - Support DER-reencode also for client-side hashing mode in CMSSigner

DSS-2423 - MasterListSigner support for files larger than 1 MB

DSS-2425 - Add support for signing a protected PDF without supplying owner password

DSS-2426 - Upgrade/migrate to OpenPDF in PDFSigner

DSS-2435 - Documentation note regarding SoftHSM2 and key wrapping mechnisms

DSS-2436 - Do not fail for directories and clarify in documentation that -indir does not go into directories

DSS-2437 - Remove custom security manager used in some junit tests

DSS-2439 - Improve the test coverage for P11NG

DSS-2442 - Initialize signing closer to the actual signing in PDFSigner

DSS-2443 - Update copyright year for 2022

DSS-2444 - Upgrade JackNJI11 to 1.2-pk3

Bug Fixes

DSS-1985 - UsernamePasswordAuthorizer uses platform encoding

DSS-2440 - Failing or aborting in the middle of a multi-part signing can lead to CKR_OPERATION_ACTIVE errors when that session is later being reused

Issues Resolved in 5.8.2

Released February 2022

New Features

DSS-2334 - System tests using already configured Peers connection


DSS-2403 - Update documentation for WildFly 24

DSS-2424 - Upgrade log4j library

DSS-2206 - CESeCore Merge: Configure full Azure Key Vault Name which would include the DNS FQDN

DSS-2418 - Upgrade JackNJI11 to include "Keep memory in template" fix

DSS-2427 - Unduplicate P11NG CLI code both in P11NG-Common and P11NG-CLI

DSS-2431 - Upgrade SLF4J

Bug Fixes

DSS-1773 - P11NG CLI - 'oneTimePerformanceTest' action with ShortLived RSA key causes process crash

DSS-2409 - Apache HttpClient not deployed with signserver.ear unless peers module included

DSS-2411 - Public key objects not removed with P11NG removeKey method

DSS-2413 - Key objects created when generating a wrapped key not explicitly removed

DSS-2414 - Unwrapped key not released properly after generating CSR

DSS-2416 - Unit test signature verification not checked properly in CMSSignerUnitTest